Categories
Across the Board

Across the Board-Episode 5, Visualization of Data for a Board

here.

Categories
Across the Board

Across the Board-Episode 4, Why Wells Fargo Needs Compliance Expertise on the Board

prevent, detect and remediate. In addition to getting its regulatory house in order, Wells Fargo has one very large culture problem which needs compliance expertise. Even for a former Bank president, the issue of compliance is at the absolute forefront of Wells Fargo’s miasma.

Categories
12 O’Clock High-a podcast on business leadership

12 O’Clock High-Episode 55, Leadership Lessons from Dunkirk

Dunkirk and the leadership lessons can be drawn from the movie and historical events. If you have not seen it, I suggest you go to see what I believe is the summer’s top movie, Dunkirk. It is great cinema, has a good history, and presents the view of soldiers on the ground from the English perspective. It unfolds on land, sea, and air; in decreasing time frames of one week, one day, and one hour. I was lucky enough to see it on glorious 70MM widescreen, so the resolution was outstanding. I believe several leadership lessons can be learned from the British (and German) experiences at Dunkirk. Every business leader should study Dunkirk for key lessons on leadership.

Categories
Everything Compliance

Everything Compliance-Episode 16, Review of Jesse Eisinger’s book, The Chickenshit Club

The Chickenshit Club by Jesse Eisinger may mean for the compliance practitioner. We consider the internal journey of the Department of Justice from their days of Enron, WorldCom, and Adelphia convictions to the 2008 financial crisis where no senior executives were prosecuted. A series of steps led to this change, and we discuss the key changes in the DoJ’s thinking. The book is a real page-turner, and our discussion reflects this. We believe that every compliance practitioner should read the book and understand its lessons from DOJ prosecution. Every compliance practitioner should read Eisinger’s book The Chickenshit Club. You can purchase a copy of the book The Chickenshit Club by clicking here.

Categories
Blog

12 O’Clock High-Episode 54-OODA Feedback Loop and Leadership

Planning for Big Data – A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team, featured a chapter by Alistair Croll, entitled “The Feedback Economy,” which informs today’s discussion. Croll believes that big data will allow continuous improvement through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to make your business more agile, efficient and profitable is. Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the business leader this means that if your company is able to collect and analyze information better, you can act on that information faster. Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.
The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put it into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud. A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.” Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.” Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in a more visual style to help convey the “dozens of independent data sources” into navigable 3D environments. Of course, having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing decisions, to strategic planning, to risk management and compliance programs.
But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks. Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”. The OODA loop coupled with the data that is available to you should facilitate a more agile and directed business. The feedback component allows you to make adjustments literally on the fly. If that does not meet the definition of continuous improvement, I do not know what does.

Categories
Across the Board

Across the Board-Episode 2, Sheila Hooda on the Board’s Role in the Oversight of Risk and Strategy

In this episode, we discuss the key role of the Board of Directors in the oversight of strategy and risk. Mutual of Omaha Insurance Company and Virtus Investment Partners. She is a thought leader, regular contributor, and speaker on governance, strategy, and leadership. Prior to her board service, Ms. Hooda held senior operating roles at TIAA, Credit Suisse Investment Bank, Thomson Reuters, and McKinsey & Co. across the US, Europe, and Asia/India. Ms. Hooda is a lifetime member of the Council on Foreign Relations and serves on boards focusing on Education, Women’s Empowerment, and Global Policy. The Board of Directors has a key role in the oversight of strategic risk for an organization.

Categories
FCPA Compliance Report - International Edition

Compliance Report-International Edition-Tim Khasanov on Compliance in post Soviet states

Integrity Corp. 50 Tips for Your Compliance Program in the Post-Soviet States.  Timur has worked in compliance, legal, consulting, and corporate governance roles in Russia, Uzbekistan, the United States, Kazakhstan, and Ukraine.  He has successfully launched and supervised execution of compliance programs for global and local businesses in the mining, energy, and pharmaceutical industries.
Tim has also recently released the first two installments of Compliance Man, the first graphic novel of a compliance practitioner. You can find out more about Tim on his firm’s website, Complianceinpostussr.com.
We look at the former Soviet Union states, one of the most interesting regions for Compliance professionals. We will touch on 10 hot questions on corporate ethics in this region. Tim answers the following questions:
1: Can we define this region as a single territory for the Compliance program structuring?
2: What regulatory trends should be taken in consideration by compliance practitioners in charge of this geography?
3: What is the biggest challenge in embedding corporate Compliance program in this region?
4:  Do you have any practical recommendations as to “dissemination of integrity” among personnel locally?
5: Is it legally permissible to deploy our FCPA/UKBA programmes in the countries of the region?
6: What is the most effective way to deliver training in this part of the world?
7: Are there any important things to remember when imposing penalties for misconduct on local personnel?
8: Do people on the ground appreciate compliance & ethics efforts?
 

Categories
Across the Board

Across the Board-Episode 1, The Uber Board

Oversight – What compliance expertise has been available on the board of directors?”, you need to have not only the structure of the Board Level Compliance Committee but also the specific subject matter expertise (SME) on the Board and on that committee.
Finally, recognizing that compensation can be a powerful motive to induce ethical and even business-appropriate behavior, the Board recommended that it use compensation to hold senior executives accountable by “incorporating ethical business practices, diversity and inclusion, and other values from Uber’s Business Code of Conduct into its executive compensation program.” This compensation program would be coupled with training on the company’s revamped ethical business practices, diversity, inclusion and other key corporate values.
As is often the case, it is the editorial board at the FT which has some of the best advice for businesses, both in the UK and the US. In a piece entitled “At Uber, counting the cost of winner take all”, the paper said there are three groups which can influence the behavior of Uber going forward: the company’s owners, largely Kalanick and his cronies; the Board of Directors, think about Bonderman at this point; and its customers, i.e., you and me. As to the final group, we can vote with our pocketbook by changing over to other ride-sharing companies such as Lyft.
Most importantly, the Uber ownership structure is a forerunner of ownership being concentrated in the hands of a few key founders. If they do not put compliance and ethics into the ethos of the company at an early phase, they cannot be forced to do so by shareholders or investors. This anomaly will make independent Boards of Directors more critical for getting such companies ready to go public. For if such companies cannot meet the requirements of a public company, everyone loses.
 
© Thomas R. Fox, 2017

Categories
Blog

Day 2 of One Month to More Effective Continuous Improvement-the Compliance Audit

Internal Audit – What types of audits would have identified issues relevant to the misconduct? Did those audits occur, and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board regularly? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Interestingly, Foreign Corrupt Practices Act (FCPA) compliance follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became the mainstays of any company’s best practices in the area of safety. These techniques inform any anti-corruption best practices compliance program under the FCPA, UK Bribery Act, or any other anti-corruption regime. Indeed, audits are delineated explicitly in the 2012 FCPA Guidance to assist in continuously monitoring your compliance regime. Such an audit can be thought of as a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. Three factors are critical for a compliance audit to have a chance for success: (1) an effective audit program that specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. Auditing can take several different forms in an anti-corruption compliance program. Of course, you should audit the compliance program in your organization. A forensic audit can collect and analyze accounting and internal-control evidence in your compliance regime. This information can produce a fact-based report informing the decision-making process in inquiries, investigations, and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur.

Further, an internal audit can review compliance processes to determine if employees follow prescribed procedures or internal controls. In addition to collecting and analyzing evidence, an auditor’s objective is to attest to the credibility of assertions under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. One of the functions of such an audit is to determine if further investigation is warranted. Once again, this situation points out the difference between having a paper compliance program and the actual doing of compliance. Even with an appropriate oversight structure, you must do the work in the future. Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties, below are some of the areas you may wish to consider reviewing:

  • Contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review the compliance training program for any third party, both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through an anonymous hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel, and entertainment that were provided to or for foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer, to whom, and how does that compliance officer report? How is the third-party vendor’s compliance program designed to identify risks, and what has resulted from any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • Concerning any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and use analytical procedures and testing.

Auditing is a more limited review that targets a specific business component, region, or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. In other words, the protocol is simple, and everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Three Key Takeaways

  1. Auditing takes a deep dive into your high-risk compliance areas.
  2. Internal audits should test your key FCPA risk areas as a part of their regular auditor rotation.
  3. The findings uncovered in an audit must be used in your compliance regime.

The compliance audit is a key component in the continuous improvement of a compliance program. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor, Affiliated Monitors, at www.affiliatedmonitors.com.

Categories
Blog

Day 1 Of One Month to More Effective Continuous Improvement-Continuous Improvement in a Compliance Program

Continuous improvement requires you to audit and monitor whether employees are staying with the compliance program. In addition to the language in the FCPA Guidance, two of the seven compliance elements in the U.S. Sentencing Guidelines call for companies to monitor, audit, and respond quickly to misconduct allegations. These three activities are vital components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. The 2012 FCPA Guidance goes on to make clear that each company should assess and manage its risks. It notes that small and medium-sized enterprises likely will have different risk profiles and, therefore, different attendant compliance programs than large multinational corporations.

Moreover, this is something that the DOJ and SEC consider when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ but is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

Ongoing monitoring is one handy tool often misused or misunderstood in the continuous improvement cycle. This can come from the confusion about the differences between monitoring and auditing. Monitoring involves reviewing and detecting compliance variances in real-time and reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program regularly and consistently across a broad spectrum of data and information. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, mainly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although the protocol is unique, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to investigate the issue further. Your company should establish a regular monitoring system to address problems. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should check in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance. What should you do with this information? 
I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement by using the following:

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan, which the CCO should lead to determine how this goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple, Sir” or KISS method is best for moving forward. This would suggest that there should be a simple and straightforward plan for each compliance goal to ensure that the goal in question is being addressed.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. This requires the CCO or other senior compliance department representative to put these in place and then mandate a reporting requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. It allows any problems that may arise to be detected and corrected more quickly than if meetings are held less frequently.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will implement a mechanism to demonstrate your company’s commitment to compliance by following through on the intentions outlined in your strategic plan. Continuous improvement through monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based on new and updated best practices specified by regulators. A compliance program is, in many ways, a continuously evolving organism, just as your company is. It would help if you built a way to keep pace with the market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different yet complementary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered.

Continuous improvement is a key component of a best practices compliance program. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor, Affiliated Monitors, at www.affiliatedmonitors.com.